A Hybrid Anomaly–Rule–Pattern Detection Framework for Streaming-Based Persistent Intrusion Detection
Abstract
Contemporary network systems suffer stealthy, persistent cyber-attacks such as low-rate distributed denial-of-service (DDoS) attacks and slow brute-force logins, which commonly elude traditional intrusion detection systems (IDS). This paper presents the Hybrid Anomaly–Rule–Pattern Detection Framework for Streaming-Based Persistent Intrusion Detection, which improves system resilience against persistent threats. The model incorporates three cooperating modules: an Anomaly Detection Module, which adopts unsupervised outlier methods (Isolation Forest, LODA and HBOS) to detect statistical deviations; a Rule-Based Module, which encapsulates Snort 3.0-style signatures together with behavioral heuristics for known attack classes; and a Pattern Recognition Module, which employs hierarchical clustering with cosine similarity to link recurring temporal behaviors across sliding windows. Weighted ensembles of the multi-source alerts are fused into high-confidence meta-alerts in real time. Experiments on the CICIDS2017 and UNSW-NB15 benchmarks show performance improvements over the SOAAPR baseline, yielding Precision = 91.3%, Recall = 94.2%, F1-score = 0.93, False Positive Rate = 3.7%, Detection Latency = 1.21 s and Persistent Attack Detection Rate = 88.4%. The statistical analysis shows that the hybrid approach, combining statistical, rule-based and temporal pattern analyses in a modular streaming architecture, achieves substantially higher accuracy and flexibility in detecting stealthy or emerging cyber threats in real-time networking environments than traditional approaches.
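To make the fusion step concrete, the following added example (not the paper's code) fuses per-window outputs of the three modules into a meta-alert and uses cosine similarity to recent windows as a persistence score, so a slow brute-force login that never trips a single-window threshold is raised once it recurs. The weights, threshold, similarity cut and feature vectors are hypothetical values constructed for the demonstration; the nearest-window linking stands in for the paper's hierarchical clustering.

```python
# Added illustration, not the paper's implementation: weighted fusion of anomaly, rule
# and pattern outputs per sliding window, with persistence derived from cosine similarity.
import math
from dataclasses import dataclass


@dataclass
class WindowObs:
    anomaly: float           # outlier score in [0, 1] from the anomaly module (assumed normalised)
    rule: float              # 1.0 if a signature or heuristic fired in this window, else 0.0
    features: list[float]    # behaviour vector for the window, assumed scaled to [0, 1]


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


class MetaAlertFuser:
    """Weights, threshold and similarity cut are hypothetical values chosen for the demo."""

    def __init__(self, weights=(0.30, 0.45, 0.25), threshold=0.35, sim=0.95, lookback=3):
        self.w_anom, self.w_rule, self.w_pat = weights
        self.threshold, self.sim, self.lookback = threshold, sim, lookback
        self.history = []  # feature vectors of recent windows

    def pattern_score(self, features):
        # Fraction of the last `lookback` windows whose behaviour vector is near-identical to
        # this one: single-linkage at a fixed cosine cut, a stand-in for hierarchical clustering.
        recent = self.history[-self.lookback:]
        if not recent:
            return 0.0
        return sum(cosine(features, h) >= self.sim for h in recent) / self.lookback

    def step(self, obs):
        pattern = self.pattern_score(obs.features)
        self.history.append(obs.features)
        score = self.w_anom * obs.anomaly + self.w_rule * obs.rule + self.w_pat * pattern
        return round(score, 4), score >= self.threshold  # (fused score, meta-alert raised?)


def run_stream(observations):
    fuser = MetaAlertFuser()
    return [fuser.step(o) for o in observations]


# Constructed stream: three benign windows, then a slow brute-force login that is too quiet
# for a rate signature (rule = 0.0) and only mildly anomalous in any single window.
BENIGN = [[0.05, 0.6, 0.9], [0.0, 0.9, 0.3], [0.1, 0.2, 1.0]]
SLOW_BRUTE = [0.8, 0.1, 0.05]  # failed-login rate dominates, little other traffic
STREAM = [WindowObs(0.05, 0.0, f) for f in BENIGN] + [WindowObs(0.5, 0.0, SLOW_BRUTE) for _ in range(4)]

if __name__ == "__main__":
    for i, (score, alerted) in enumerate(run_stream(STREAM)):
        print(f"window {i}: score={score} meta_alert={alerted}")
```

With these settings a signature hit alone is enough to raise a meta-alert, a single anomalous window is not, and the quiet brute-force windows only alert once three consecutive near-identical windows precede them.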
DOI: https://doi.org/10.31449/inf.v49i36.12171
I assign to Informatica, An International Journal of Computing and Informatics ("Journal") the copyright in the manuscript identified above and any additional material (figures, tables, illustrations, software or other information intended for publication) submitted as part of or as a supplement to the manuscript ("Paper") in all forms and media throughout the world, in all languages, for the full term of copyright, effective when and if the article is accepted for publication. This transfer includes the right to reproduce and/or to distribute the Paper to other journals or digital libraries in electronic and online forms and systems.
I understand that I retain the rights to use the pre-prints, off-prints, accepted manuscript and published journal Paper for personal use, scholarly purposes and internal institutional use.
In certain cases, I can ask for retaining the publishing rights of the Paper. The Journal can permit or deny the request for publishing rights, to which I fully agree.
I declare that the submitted Paper is original, has been written by the stated authors and has not been published elsewhere nor is currently being considered for publication by any other journal and will not be submitted for such review while under review by this Journal. The Paper contains no material that violates proprietary rights of any other person or entity. I have obtained written permission from copyright owners for any excerpts from copyrighted works that are included and have credited the sources in my article. I have informed the co-author(s) of the terms of this publishing agreement.
Copyright © Slovenian Society Informatika